Are your passwords strong enough to resist a brute force
attack? Passwords are just about dead. Many systems now offer “two factor
identification.” You give them your cell phone number and you have to use both
a password and a code number sent to the phone for your log in. But passwords continue. They are easy
for administrators. They are part of the common culture.
Steve Gibson has the engineer’s “knack.” (See the Dilbert video
here.) His company, Gibson Research Corporation (here), sells a wide range of computer security
products and services. He also offers many for free. Among the freebies is
Haystack: How Big is Your Haystack – and how well is your needle hidden? (here) This utility provides a metric for measuring password
security.
It is pretty easy to do yourself, if you like arithmetic. 26
upper case letters, 26 lower case, 10 digits, 33 characters (with the space) for
95 printable ASCII characters in the common set. So, if you have an 8-character password that is 95 to the 8th
power possible combinations: 6.634 times 10 to the 15th power or over
6-and-a-half quadrillion. If you could try a million guesses a second, it would
take 6.5 billion seconds or just over 200 years. (60 seconds/minute * 60
minutes/hour * 24 hours/day * 365.25 days / year* 200 years =6.3 billion .)
Gibson Research makes all of that automatic. Just key in your
password, and it tells you how long it would take to crack.
Cracking passwords is a routine activity for a hacker. They
have tools. At one meet-up for
hackers, the speaker told us, “If you have to use brute force, you are not
thinking.” They do not type in a
million guesses per second, of course. They have programs to do that. Also,
most websites just do not allow that kind of traffic: you cannot do a million
guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let
their software attack the data offline.
Also, hackers do not use the same computers that you and I do.
They start with gaming machines because the processors in those are built for
high-speed calculation. They then gang those multiple processors to create
massively parallel computers. The
calculators from GRC show the likely outcome for brute force by both a
“regular” computer and a “massive cracking array.”
If someone got hired today at a typical midrange American
corporation, their password might just be January2016. If, like most of us, they think that are really
clever, it ends with an exclamation point: January2016! Hackers have databases of these. They
start with standard dictionaries, and add to them all of the known passwords that
they discover.
One common recommendation is to take the first letters of a
phrase known only to you and personal only to you. My mother had naturally red
hair for most of her life. She was born in 1929 and passed in 2012. So, “My
mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to
Gibson Research, brute force guessing with a massive cracking array would take
over 26 centuries.
Gioachino Rossini premiered his opera, William Tell, in
1829. “William & Tell = 1829” would take a massive parallel cracking
machine about 1 million trillion centuries to guess. However, Five + One = 27 could be done in under 1.5 million
centuries.
Remember, however, that a dictionary attack will crack any
common phrase. With over 1.7
million veterans of the United States Marine Corp, someone—probably several
hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker's dictionary should have "Semper Fi" in it already.
(Above, I said that cracking passwords is a “routine
activity” for a hacker. “Routine activities” is the name of theory of
crime. Attributed to sociologists Marcus
Felson and Lawrence E. Cohen, routine activities theory says that crime is what
criminals do, independent of such “social causes” as poverty. See Routine Activity Theory on Wikipedia here:
)
PREVIOUSLY ON NECESSARY FACTS